Progress Toward a Password-less Future

ymassard@hidglobal.com's picture

Passwords remain a significant cybersecurity risk for organizations of all sizes.

With Password-related attacks on internet-facing applications as well as internal applications ranging from phishing, guessing weak passwords, password stuffing and keyloggers to rainbow tables, social engineering, and more; it’s no wonder the cybersecurity industry has been working for so long on providing better, stronger and more user-friendly authentication solutions.

Moving to a password-less world is a complex journey given that passwords have been in use with computers for more than 50 years. Recently, a major step toward that goal was accomplished with the finalization of FIDO2 by the FIDO Alliance and the World Wide Web Consortium (W3C).

FIDO2 focuses on providing fast, secure, easy-to-use authentication that resists phishing attempts and protects the privacy of users. The standard is designed to offer choices to consumers and enterprises while keeping it simple for application developers to add support for FIDO2. It enables many different form factors including contactless smart cards, USB keys, Bluetooth devices or apps running on your mobile device. The user-presence verification can be accomplished by pressing a button, waving your card, verifying your biometrics or entering a PIN code depending on what your FIDO2 authenticator is enabled to support.

The standard is more secure than passwords because it eliminates the secret shared between the application and the user. Instead, the FIDO2 authenticator has a private cryptographic key and the application has the associated public key. When the user attempts to authenticate, the FIDO2 authenticator digitally signs in with a private key using data sent by the application. The application then uses a public key for the user to verify that the signature is valid. Since the private key lives on the FIDO2 authenticator, a hacker would need to steal the FIDO2 authenticator to impersonate the user. Each FIDO2-protected application has a different public key assigned to each user. FIDO2 also employs mechanisms to protect against man-in-the-middle attacks.

All the major web browsers have already implemented this new security standard. Web based and native applications can now start implementing support for FIDO2 confident that the standard is stable and widely implemented.

Microsoft recently published a white paper, An Overview of Password-less Authentication, that describes how to achieve password-less authentication in Windows with FIDO2 which includes a list of third-party FIDO2 Security Key vendors including HID Global. Microsoft has started implementing support for FIDO2 authentication in Windows 10 and announced a public preview in 2019. HID’s upcoming new generation of authenticators will support that capability.

While those steps are significant, there is still much to do before we can be free of passwords. HID’s approach is to create authenticators — smart cards, smart USB tokens, mobile apps and other form factors — that are future-proof by adopting FIDO2 standards while also supporting existing standards like PKI/PIV and OATH. Organizations can deploy improved security today and be ready to transition to FIDO2 when the time is right for them.

To learn more about FIDO2, view our webinar: How FIDO is Making the Organizations More Mobile and Secure.

Get the latest blogs on identity and access management delivered straight to your inbox. Sign up here.

In this role, Yves is responsible for the Product Marketing effort for HID Global’s Identity and Access Management (IAM) government business. During his time with HID, Yves was involved with the creation of the US DoD Common Access Card, and ActivID CMS — the market leading PIV credential management system and ActivClient, the market-leading middleware. Yves received a Masters Degree in Computer Science from the Institut National des Sciences Appliquées de Rennes and an MBA from Saint Mary’s College, California.